Mailing List Archive

missing root certificate, SMIME spanish government
Hi

I am not sure that my email arrived via gmane.

I received an smime signed email from a colleague. It contains a public
key from
https://www.sede.fnmt.gob.es/descargas/certificados-raiz-de-la-fnmt

Basically the Spanish government.

I installed all its root certificates in

/usr/share/ca-certificates/Spain

And run

sudo dpkg-reconfigure ca-certificates

However when I run
gpgsm --encrypt -r 0xC575B0D4 test.txt

I obtain

gpgsm: issuer certificate {B1D44FC42379FA440509C6EB39CFE835B0B82064} not found using authorityKeyIdentifier
gpgsm: looking up issuer from the Dirmngr cache
gpgsm: DBG: chan_5 -> LOOKUP --cache-only #/CN=AC%20FNMT%20Usuarios,OU=Ceres,O=FNMT-RCM,C=ES
gpgsm: DBG: chan_5 <- ERR 167772187 Not found <Dirmngr>
gpgsm: number of matching certificates: 0
gpgsm: dirmngr cache-only key lookup failed: Not found
gpgsm: looking up issuer at external location
gpgsm: DBG: chan_5 -> LOOKUP /CN=AC%20FNMT%20Usuarios,OU=Ceres,O=FNMT-RCM,C=ES
gpgsm: DBG: chan_5 <- ERR 167772187 Not found <Dirmngr>
gpgsm: number of issuers matching: 0
gpgsm: external key lookup failed: Not found
gpgsm: issuer certificate not found
gpgsm: issuer certificate: #/CN=AC FNMT Usuarios,OU=Ceres,O=FNMT-RCM,C=ES
gpgsm: validation model used: shell
gpgsm: can't encrypt to '0xC575B0D4': Missing issuer certificate
secmem usage: 0/16384 bytes in 0 blocks

BTW, encryption with that public key works in Thunderbird, and I looked
up its root certificate; I can't see anything I don't have.


I am starting to get desperate; what am I missing?

Thanks

Uwe Brauer
Re: missing root certificate, SMIME spanish government
Hello Uwe Brauer,

> I installed all its root certificates in
> /usr/share/ca-certificates/Spain
I usually put the fingerprint of the root certificate in ~/.gnupg/trustlist.txt like this:

```
# CN=COMODO RSA Certification Authority
# O=COMODO CA Limited
# L=Salford
# ST=Greater Manchester
# C=GB
# Checked fingerprint here: https://developer.visa.com/pages/trusted_certifying_authorities
AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4 S relax
```
Re: missing root certificate, SMIME spanish government
>>> "WT" == Wolfgang Traylor <wolfgang.traylor@posteo.de> writes:
Hello

> Hello Uwe Brauer,
>> I installed all its root certificates in
>> /usr/share/ca-certificates/Spain
> I usually put the fingerprint of the root certificate in ~/.gnupg/trustlist.txt like this:

> ```
> # CN=COMODO RSA Certification Authority
> # O=COMODO CA Limited
> # L=Salford
> # ST=Greater Manchester
> # C=GB
> # Checked fingerprint here: https://developer.visa.com/pages/trusted_certifying_authorities
> AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4 S relax
> ```

That is what I tried. However, given a .cer file, how can I find out its
fingerprint?

In any case, I finally solved the issue by just importing all available
.cer files into gpgsm and it worked; my mistake was to assume that gpgsm uses
the ones which are installed system wide.
Re: missing root certificate, SMIME spanish government
> However given a cer file, how can I find out its fingerprint?
This command will show you the details of a certificate from the website[1]
you mentioned, including its fingerprint:

openssl x509 -noout -text -fingerprint -inform DER -in downloaded_key_file.cer

Or you import the certificate with `gpgsm --import file.cer` and look it up in
the output of `gpgsm --list-keys`.

[1] https://www.sede.fnmt.gob.es/descargas/certificados-raiz-de-la-fnmt
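The two answers above (the commented trustlist.txt entry and the openssl fingerprint command) can be folded into one small tool. What follows is an added example written for this thread, not code from GnuPG, Debian or the FNMT: it reads a .cer or .pem file, extracts the DER bytes, computes the SHA-1 fingerprint in the colon-separated form that `openssl x509 -fingerprint -sha1` and `gpgsm --list-keys` print, and appends a commented trustlist.txt entry unless that fingerprint is already listed (enabled, or disabled with a leading `!`). The file and function names are the example's own. The sample "certificate" `SAMPLE_DER` is a constructed stand-in (the bytes `abc`, whose SHA-1 is a published test vector), not the FNMT root, and `SAMPLE_SUBJECT` is a made-up subject; the fingerprint is SHA-1 over the raw DER, so the code path is the same for a real certificate.

```python
"""Compute an X.509 certificate's SHA-1 fingerprint (DER or PEM input) and
emit or append the matching ~/.gnupg/trustlist.txt entry.

Added example for this thread; not GnuPG code. It relies only on the
documented trustlist.txt layout: '<SHA-1 fingerprint> <flags>' per line,
'#' comment lines, and a leading '!' that disables an entry.
"""
import base64
import hashlib
import os
import re
import tempfile

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def load_der(data: bytes) -> bytes:
    """Return the DER bytes of the first certificate in `data`.

    PEM is base64 between BEGIN/END markers; .cer downloads are usually raw
    DER and are returned unchanged.
    """
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def fingerprint(der: bytes) -> str:
    """Upper-case, colon-separated SHA-1 fingerprint, the form trustlist.txt
    expects and that openssl and gpgsm print."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def trustlist_entry(der: bytes, subject_lines, flags="S relax") -> str:
    """Commented subject followed by the fingerprint line.

    Flags: 'S' trusts the root for S/MIME only ('P' OpenPGP, '*' both);
    'relax' tolerates some non-conforming roots (e.g. a missing
    basicConstraints extension) and skips CRL checking for the root itself.
    """
    comment = "".join(f"# {line}\n" for line in subject_lines)
    return f"{comment}{fingerprint(der)} {flags}\n"


def existing_fingerprints(text: str) -> dict:
    """Map of fingerprint -> disabled? for entries already in the file,
    skipping blank and comment lines."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        disabled = line.startswith("!")
        found[line.lstrip("!").split()[0]] = disabled
    return found


def add_to_trustlist(path: str, der: bytes, subject_lines,
                     flags="S relax") -> bool:
    """Append an entry unless the fingerprint is already present, enabled or
    disabled. Returns True if the file changed. A '!' line is never
    overwritten: an operator's decision to distrust a root must not be
    silently reverted by a script."""
    text = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    if fingerprint(der) in existing_fingerprints(text):
        return False
    with open(path, "a", encoding="utf-8") as fh:
        if text and not text.endswith("\n"):
            fh.write("\n")
        fh.write(trustlist_entry(der, subject_lines, flags))
    return True


# Constructed stand-in for a DER certificate, NOT a real certificate:
# SHA-1("abc") = A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D.
SAMPLE_DER = b"abc"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_SUBJECT = ["CN=Example Root CA", "O=Example", "C=ES"]  # made up


def demo(path=None):
    """Add the sample entry twice; the second call must be a no-op.
    Returns (first_changed, second_changed, file_contents)."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "trustlist.txt")
    first = add_to_trustlist(path, SAMPLE_DER, SAMPLE_SUBJECT)
    second = add_to_trustlist(path, SAMPLE_DER, SAMPLE_SUBJECT)
    with open(path, encoding="utf-8") as fh:
        return first, second, fh.read()


if __name__ == "__main__":
    import sys
    # Usage: python3 trustlist_entry.py root.cer   (prints the entry to paste)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    print(trustlist_entry(load_der(data), SAMPLE_SUBJECT), end="")
```

Before pasting the printed line into ~/.gnupg/trustlist.txt, compare the fingerprint with the one published on the download page, as Wolfgang's "Checked fingerprint here" comment does; the fingerprint is the whole trust decision, and a substituted .cer file would otherwise be trusted as a root. After editing the file, have gpg-agent reread it (`gpgconf --reload gpg-agent`).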
Re: missing root certificate, SMIME spanish government
>>> "WT" == Wolfgang Traylor <wolfgang.traylor@posteo.de> writes:

>> However given a cer file, how can I find out its fingerprint?
> This command will show you the details of the certificates from the website[1]
> you mentioned including its fingerprint:

> openssl x509 -noout -text -fingerprint -inform DER -in downloaded_key_file.cer

Thanks


> Or you import the key with `gpgsm --import file.cer` and look in the list of
> `gpgsm --list-keys`.

Well, but if I import the key, then I don't need to add it to the
trustlist file.
Re: missing root certificate, SMIME spanish government
On Sat, 1 Jun 2019 14:49, oub@mat.ucm.es said:

> Well, but if I import the key, then I don't need to add it to the
> trustlist file.

The trustlist.txt lists those certificates which are valid as root
certificates. Importing a certificate does not add it to this list for
obvious reasons: All kind of certificates are imported all the time
without the user noticing (e.g. those sent as part of an S/MIME mail).
Root certificates are the trust anchor and thus we need the user's consent
to use them in such a way.

By default gpgsm asks you whether a certificate, which technically can
act as root certificate, shall be granted the trusted status (i.e. used
as a root certificate by being added to trustlist.txt). You can change
this default by adding "no-allow-mark-trusted" to gpg-agent.conf.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: missing root certificate, SMIME spanish government
On Sat 2019-06-01 12:14:00 +0200, Uwe Brauer wrote:
> In any case, I finally solved the issue by just importing all available
> .cer files into gpgsm and it worked; my mistake was to assume that gpgsm uses
> the ones which are installed system wide.

I agree that gpgsm integration with the system keyring is lacking.
Please see https://bugs.debian.org/888025 for discussion on how that
might be improved. I'd love to hear any feedback or thoughts there.
(and would be even happier to receive patches i could review).

--dkg